Legal

Privacy Policy

Effective: July 2026 · Version 1

This policy describes how ModDex ("we", "us") collects, uses, and shares information when you use our website and services. It is meant to be read alongside our Terms of Service. A full cookie and local-storage inventory lives below in Section 11.

1. Who we are

ModDex is operated by the ModDex maintainers. You can reach us at [email protected] for any question about this policy or the way we handle your information.

2. What we collect

Account data

  • Username, display name, and email address you provide at sign-up.
  • Optional profile information you choose to add: bio, avatar, social links (CurseForge, Modrinth, GitHub, Discord, Reddit, X, Bluesky).
  • Hashed password and, if you opt in, second-factor secrets and recovery codes.
  • If you sign in with Modrinth, the Modrinth user ID, username, and the email Modrinth shares with us to link your account.

Content you submit

  • Reviews, ratings, written text, images, follows, library entries, stacks, votes, and content reports.
  • Any Discord webhook URLs you configure (stored encrypted at rest, used only to deliver notifications you opted in to).

Technical and security data

  • IP address, user-agent, and timestamps of authenticated visits, recorded for abuse prevention and moderation (table: user_ip_addresses).
  • Session cookies, CSRF tokens, and optional "remember me" tokens.
  • Cloudflare Turnstile telemetry on login, registration, and password-reset pages, used to detect automated abuse.
  • Cookieless event data from PostHog EU when you have consented to analytics: page paths, click counts, feature usage. No advertising identifiers and no cross-site tracking.

3. Why we use it and on what legal basis (GDPR Art. 6)

  • Performance of a contract: to create and operate your account, store and display your reviews and library, and provide the features you choose to use.
  • Legitimate interests: to moderate the community, prevent abuse, debug errors, and keep the service secure. We log IPs and user-agents for authenticated visits only and we balance this against your interests by minimising what we keep and how long we keep it.
  • Consent: for cookieless analytics (PostHog EU) where you are in the EU or UK. You can withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Legal obligation: to respond to lawful requests, comply with tax and accounting rules, and meet our own legal duties.

4. Who we share it with

We do not sell personal information. We share data only with vendors who process it on our behalf to run the service. The current subprocessor list is:

  • Cloudflare Inc. (US): CDN, DNS, Turnstile CAPTCHA, R2 storage for review images.
  • jsDelivr (Global anycast): static JavaScript libraries loaded by the signed-in API documentation viewer at /api/docs only; not used on the public site.
  • PostHog Inc. (Frankfurt, EU instance; controller in US): cookieless product analytics, processed under PostHog's DPA and EU Standard Contractual Clauses.
  • Resend (Resend, Inc.; US region): transactional email, in-app notification email, and admin system announcements.
  • Meilisearch host: powers on-site search; receives non-PII project, review, and (id/name/username only) user index payloads.
  • Hosting provider: runs the application servers and database.

5. International transfers

Some of our processors are located outside the EEA or the UK. Where this is the case we rely on the European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum to provide appropriate safeguards.

6. How long we keep it

  • Account, profile, and content: for as long as your account exists.
  • IP address log (user_ip_addresses): 90 days from the last seen timestamp, then permanently deleted.
  • Moderation logs: up to two years for audit and dispute purposes.
  • Backups: rolled off within 30 days.
  • PostHog analytics: retained for up to 12 months.
  • Anonymous account-deletion audit row: kept indefinitely (contains only hashed values, not personal data).

7. Your rights

Depending on where you live, you have some or all of these rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: delete your account and associated personal data.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction or objection: limit how we process your data, or object to processing based on legitimate interests.
  • Withdraw consent: turn off optional categories at any time from the Privacy choices control in the footer.
  • Lodge a complaint with your local data-protection supervisory authority.

You can exercise the access, portability, and erasure rights directly from the Account tab of your Settings page (Download my data, Delete account). For everything else, email [email protected] We will respond within the time limits set by applicable law: without undue delay and within one month of receipt for GDPR and UK GDPR requests (this may be extended by up to two further months in complex cases, as permitted, and we will tell you if that applies), and within 45 calendar days for requests under the California Consumer Privacy Act as amended by the CPRA (which may be extended once by up to an additional 45 days when the law allows, with notice).

8. Communications and email

We send three kinds of email to your account address:

  • Transactional: account-related messages such as email verification, password reset, two-factor codes, and security alerts. These cannot be turned off while your account is active because they are necessary to operate the service.
  • Notification: per-event updates you can configure individually (review approved, report outcome, developer response, and so on). The defaults are listed in your Settings; you can turn any of them off, or disable email notifications entirely from the master switch.
  • System announcements: occasional updates from the ModDex team: planned maintenance, security advisories, terms or policy changes, and major new features. These are enabled by default. You can opt out at any time from your Settings under "System announcements". We rely on legitimate interest (GDPR Art. 6(1)(f)) for this category and limit it to service-related communications; we will never use it to share third-party offers or sell your data.

Every email we send contains a one-click link to your notification preferences. There is no separate mailing list; you opt in or out of each category in your account. For privacy questions you can reach us at [email protected]. Disabling a category in your Settings takes effect for any email that has not yet left our queue.

9. California notice (CCPA / CPRA)

In the last 12 months we have collected the following categories of personal information as defined by the California Consumer Privacy Act:

  • Category A: identifiers (account email, username, IP address).
  • Category B: California “customer records” information as defined in Civil Code § 1798.80 (such as account-related contact details). Log-in credentials may separately qualify as sensitive personal information under the CPRA.
  • Category F: internet activity (pages viewed when you have consented to analytics).
  • Category K: inferences are not generated from your data.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA. We have not done so in the preceding 12 months and have no plans to do so.

California consumers have the right to know, delete, correct, and limit the use of sensitive personal information. To exercise any of these rights, use the Settings page or email [email protected]. You may also authorize an agent to make a request on your behalf. We will not discriminate against you for exercising any of these rights, and we do not offer financial incentives in exchange for personal information.

We honor the Global Privacy Control (GPC) signal: if your browser sends Sec-GPC: 1 we automatically treat that as an opt-out of analytics, and we record that decision in our consent log.

10. Children

ModDex is intended for users 13 years and older. In the European Economic Area and the United Kingdom, the minimum age to consent to information-society services is up to 16 in many countries, and some countries set a lower age (not below 13) where domestic law allows. You must meet the minimum age that applies where you live. If we learn that we have collected personal information from someone under that minimum age, we will delete it.

11. Cookies and similar technologies

We use a small number of strictly-necessary cookies and, with your consent, cookieless PostHog analytics. UI state such as filters, sorting, and pagination lives in the URL; the only browser-storage value we set is a strictly-necessary key that pins the interface to dark mode (see the full inventory below).

Categories

  • Strictly necessary: Required for the site to work. Always on; cannot be disabled.
  • Functional: Reserved. We do not currently store any UI preferences in cookies or browser storage.
  • Analytics: Cookieless product analytics (PostHog EU). Off by default in the EU and UK.

Full inventory

Name Provider Category Purpose Lifetime
moddex_session first-party Necessary Keeps you signed in and links your browser to your current session. Session / 2 hours
XSRF-TOKEN first-party Necessary Cross-site request forgery protection on form submissions. Session / 2 hours
remember_web_* first-party Necessary Optional "remember me" login token, only set if you check that box at sign-in. 5 years
moddex_consent first-party Necessary Stores your cookie preferences so we do not ask again on every page. 13 months
cf_chl_* / __cf_bm challenges.cloudflare.com Necessary Cloudflare Turnstile CAPTCHA challenge state on login, registration, and password reset pages. Up to 30 minutes
flux.appearance storage first-party Necessary Pins the UI to dark mode so Flux components do not flash the wrong theme on first paint. Persistent until you clear site storage

Global Privacy Control (GPC)

If your browser sends a Sec-GPC: 1 header (used by Brave, DuckDuckGo, and several privacy extensions), we treat it as an opt-out of analytics. We do not re-prompt you to enable it.

How to manage cookies

You can change your choices anytime by clicking "Privacy choices" in the footer of every page, or by clearing site data in your browser. Most modern browsers also let you block cookies entirely.

Updates

When we add or change a cookie we update this section and bump the consent version, which prompts you to review your choices again.

12. Changes to this policy

When we make a material change we will update this page, bump the policy version number at the top, and ask you to review your consent choices the next time you visit.

13. Contact

Questions about privacy can be sent to [email protected] or via the options described on our Contact page.